{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,8]],"date-time":"2026-07-08T23:21:48Z","timestamp":1783552908973,"version":"3.55.0"},"reference-count":173,"publisher":"Association for Computing Machinery (ACM)","issue":"9","license":[{"start":{"date-parts":[[2021,10,8]],"date-time":"2021-10-08T00:00:00Z","timestamp":1633651200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["61802332, 61807028, and 61772449"],"award-info":[{"award-number":["61802332, 61807028, and 61772449"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Natural Science Foundation of Hebei Province P. R. China","award":["F2019203120"],"award-info":[{"award-number":["F2019203120"]}]},{"name":"Doctoral Foundation Program of Yanshan University","award":["BL18012"],"award-info":[{"award-number":["BL18012"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2022,12,31]]},"abstract":"<jats:p>Most existing surveys and reviews on web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches\u2019 technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is a lack of a comprehensive and systematic analysis of the efficiency and effectiveness of various WAVD approaches. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing the artifacts. Our study\u2019s results also summarized and compared the effectiveness and efficiency of different WAVD approaches on detecting specific categories of web application vulnerabilities and which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiencies of WAVD approaches. Our study results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.<\/jats:p>","DOI":"10.1145\/3474553","type":"journal-article","created":{"date-parts":[[2021,10,8]],"date-time":"2021-10-08T22:02:57Z","timestamp":1633730577000},"page":"1-35","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review"],"prefix":"10.1145","volume":"54","author":[{"given":"Bing","family":"Zhang","sequence":"first","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Hebei Province, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jingyue","family":"Li","sequence":"additional","affiliation":[{"name":"Norwegian University of Science and Technology, Trondheim, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jiadong","family":"Ren","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Hebei Province, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Guoyan","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Hebei Province, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,10,8]]},"reference":[{"key":"e_1_2_2_1_1","volume-title":"The Ten Most Critical Web Application Security Risks. Retrieved on","author":"OWASP TOP.","year":"2021","unstructured":"OWASP TOP. 2010\u20132017. The Ten Most Critical Web Application Security Risks. Retrieved on 30 June , 2021 from https:\/\/owasp.org\/www-project-top-ten\/2017\/Top_10. OWASP TOP. 2010\u20132017. The Ten Most Critical Web Application Security Risks. Retrieved on 30 June, 2021 from https:\/\/owasp.org\/www-project-top-ten\/2017\/Top_10."},{"key":"e_1_2_2_2_1","volume-title":"Proceedings of the Hawaii International Conference on System Sciences. 4878\u20134886","author":"Yu F.","unstructured":"F. Yu and Y. Y. Tung . 2014. Patcher: An online service for detecting, viewing and patching web application vulnerabilities . In Proceedings of the Hawaii International Conference on System Sciences. 4878\u20134886 . F. Yu and Y. Y. Tung. 2014. Patcher: An online service for detecting, viewing and patching web application vulnerabilities. In Proceedings of the Hawaii International Conference on System Sciences. 4878\u20134886."},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.5120\/18877-0144"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2541315"},{"key":"e_1_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2006.43"},{"key":"e_1_2_2_6_1","doi-asserted-by":"crossref","unstructured":"Julian Thom\u00e9 L. K. Shar D. Bianculli and L. Briand. 2018. Security slicing for auditing common injection vulnerabilities. J. Syst. Softw. 137 (Mar. 2018) 766\u2013783.  Julian Thom\u00e9 L. K. Shar D. Bianculli and L. Briand. 2018. Security slicing for auditing common injection vulnerabilities. J. Syst. Softw. 137 (Mar. 2018) 766\u2013783.","DOI":"10.1016\/j.jss.2017.02.040"},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2015.2457411"},{"key":"e_1_2_2_8_1","volume-title":"Proceedings of the International Conference on Availability, Reliability and Security. 438\u2013445","author":"T\u00f8ndel Inger A.","unstructured":"Inger A. T\u00f8ndel , J. Jensen , and L. R\u00f8stad . 2010. Combining misuse cases with attack trees and security activity models . In Proceedings of the International Conference on Availability, Reliability and Security. 438\u2013445 . Inger A. T\u00f8ndel, J. Jensen, and L. R\u00f8stad. 2010. Combining misuse cases with attack trees and security activity models. In Proceedings of the International Conference on Availability, Reliability and Security. 438\u2013445."},{"key":"e_1_2_2_9_1","volume-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.","author":"Muthukumaran D.","unstructured":"D. Muthukumaran , D. O\u2019Keeffe , C. Priebe , and D. Eyers . 2015. FlowWatcher: Defending against data disclosure vulnerabilities in web applications . In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. D. Muthukumaran, D. O\u2019Keeffe, C. Priebe, and D. Eyers. 2015. FlowWatcher: Defending against data disclosure vulnerabilities in web applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security."},{"key":"e_1_2_2_10_1","first-page":"723","article-title":"Experimentation and validation of web application\u2019s vulnerability using security testing method. Lecture Notes in Electrical Engineering, Computer Science and its Applications","volume":"203","author":"Lee Taeseung","year":"2012","unstructured":"Taeseung Lee , G. Won , S. Cho , N. Park , and D. Won . 2012 . Experimentation and validation of web application\u2019s vulnerability using security testing method. Lecture Notes in Electrical Engineering, Computer Science and its Applications , Springer Dordrecht , 203 (2012), 723 \u2013 731 Taeseung Lee, G. Won, S. Cho, N. Park, and D. Won. 2012. Experimentation and validation of web application\u2019s vulnerability using security testing method. Lecture Notes in Electrical Engineering, Computer Science and its Applications, Springer Dordrecht, 203(2012), 723\u2013731","journal-title":"Springer Dordrecht"},{"key":"e_1_2_2_11_1","volume-title":"Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy. 139\u2013141","author":"Amira A.","unstructured":"A. Amira , A. Ouadjaout , A. Derhab , and N. Badache . 2017. Sound and static analysis of session fixation vulnerabilities in PHP web applications . In Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy. 139\u2013141 . A. Amira, A. Ouadjaout, A. Derhab, and N. Badache. 2017. Sound and static analysis of session fixation vulnerabilities in PHP web applications. In Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy. 139\u2013141."},{"key":"e_1_2_2_12_1","volume-title":"Proceedings of the IEEE 9th International Conference on Communication Software and Networks (ICCSN). IEEE, 1138\u20131141","author":"Yan Xuexiong X.","unstructured":"Xuexiong X. Yan , H. T. Ma , and Q. X. Wang . 2017. A static backward taint data analysis method for detecting web application vulnerabilities . In Proceedings of the IEEE 9th International Conference on Communication Software and Networks (ICCSN). IEEE, 1138\u20131141 . Xuexiong X. Yan, H. T. Ma, and Q. X. Wang. 2017. A static backward taint data analysis method for detecting web application vulnerabilities. In Proceedings of the IEEE 9th International Conference on Communication Software and Networks (ICCSN). IEEE, 1138\u20131141."},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/2011304.2011305"},{"key":"e_1_2_2_14_1","doi-asserted-by":"crossref","unstructured":"Cagatay Catal A. Akbulut E. Ekenoglu and M. Alemdaroglu. 2017. Development of a software vulnerability prediction web service based on artificial neural networks. U. Kang (Ed.) Springer International Publishing AG 59\u201367.  Cagatay Catal A. Akbulut E. Ekenoglu and M. Alemdaroglu. 2017. Development of a software vulnerability prediction web service based on artificial neural networks. U. Kang (Ed.) Springer International Publishing AG 59\u201367.","DOI":"10.1007\/978-3-319-67274-8_6"},{"key":"e_1_2_2_15_1","volume-title":"Proceedings of the 40th Computer Software and Applications Conference.IEEE, 143\u2013153","author":"Wen Shuo","unstructured":"Shuo Wen , Y. Xue , J. Xu , H. Yang , X. Li , W. Song , and G. Si . 2016. Toward exploiting access control vulnerabilities within MongoDB backend web applications . In Proceedings of the 40th Computer Software and Applications Conference.IEEE, 143\u2013153 . Shuo Wen, Y. Xue, J. Xu, H. Yang, X. Li, W. Song, and G. Si. 2016. Toward exploiting access control vulnerabilities within MongoDB backend web applications. In Proceedings of the 40th Computer Software and Applications Conference.IEEE, 143\u2013153."},{"key":"e_1_2_2_16_1","first-page":"12","article-title":"Web unique method (WUM): An open source blackbox scanner for detecting web vulnerabilities","volume":"8","author":"Khalid M. N.","year":"2017","unstructured":"M. N. Khalid , M. Iqbal , M. T. Alam , V. Jain , H. Mirza , and K. Rasheed . 2017 . Web unique method (WUM): An open source blackbox scanner for detecting web vulnerabilities . Int. J. Adv. Comput. Sci. Applic. 8 , 12 (Dec. 2017), 411\u2013417. M. N. Khalid, M. Iqbal, M. T. Alam, V. Jain, H. Mirza, and K. Rasheed. 2017. Web unique method (WUM): An open source blackbox scanner for detecting web vulnerabilities. Int. J. Adv. Comput. Sci. Applic. 8, 12 (Dec. 2017), 411\u2013417.","journal-title":"Int. J. Adv. Comput. Sci. Applic."},{"key":"e_1_2_2_17_1","volume-title":"Proceedings of the International Conference on Information and Communications Technologies (ICT).","author":"Wang C.","unstructured":"C. Wang , L. Liu , and Q. Liu . 2014. Automatic fuzz testing of web service vulnerability . In Proceedings of the International Conference on Information and Communications Technologies (ICT). C. Wang, L. Liu, and Q. Liu. 2014. Automatic fuzz testing of web service vulnerability. In Proceedings of the International Conference on Information and Communications Technologies (ICT)."},{"key":"e_1_2_2_18_1","volume-title":"Proceedings of the International Conference on Global Security, Safety, and Sustainability, Springer, Cham, 160\u2013171","author":"Awang Nor F.","unstructured":"Nor F. Awang and A. A. Manaf . 2015. Automated security testing framework for detecting SQL injection vulnerability in web application . In Proceedings of the International Conference on Global Security, Safety, and Sustainability, Springer, Cham, 160\u2013171 . Nor F. Awang and A. A. Manaf. 2015. Automated security testing framework for detecting SQL injection vulnerability in web application. In Proceedings of the International Conference on Global Security, Safety, and Sustainability, Springer, Cham, 160\u2013171."},{"key":"e_1_2_2_19_1","volume-title":"Proceedings of the IEEE International Conference Services Computing (SCC\u201911)","author":"Antunes N.","unstructured":"N. Antunes and M. Vieira . 2011. Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services . In Proceedings of the IEEE International Conference Services Computing (SCC\u201911) , IEEE CS, 104\u2013111. N. Antunes and M. Vieira. 2011. Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services. In Proceedings of the IEEE International Conference Services Computing (SCC\u201911), IEEE CS, 104\u2013111."},{"key":"e_1_2_2_20_1","volume-title":"Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. 43\u201349","author":"Ciampa Angelo","unstructured":"Angelo Ciampa , C. A. Visaggio , and M. D. Penta . 2010. A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications . In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. 43\u201349 . Angelo Ciampa, C. A. Visaggio, and M. D. Penta. 2010. A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications. In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. 43\u201349."},{"key":"e_1_2_2_21_1","volume-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 616\u2013628","author":"Olivo O.","unstructured":"O. Olivo , I. Dillig , and C. Lin . 2015. Detecting and exploiting second order denial-of-service vulnerabilities in web applications . In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 616\u2013628 . O. Olivo, I. Dillig, and C. Lin. 2015. Detecting and exploiting second order denial-of-service vulnerabilities in web applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 616\u2013628."},{"key":"e_1_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501654.2501663"},{"key":"e_1_2_2_23_1","volume-title":"Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI). 2010\u20132015","author":"Gupta M. K.","unstructured":"M. K. Gupta , M. C. Govil , G. Singh , and P. Sharma . 2015. XSSDM: Towards detection and mitigation of cross-site scripting vulnerabilities in web applications . In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI). 2010\u20132015 . M. K. Gupta, M. C. Govil, G. Singh, and P. Sharma. 2015. XSSDM: Towards detection and mitigation of cross-site scripting vulnerabilities in web applications. In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI). 2010\u20132015."},{"key":"e_1_2_2_24_1","volume-title":"Proceedings of the Symposium on Requirements Engineering for Information Security.","author":"Debbabi M.","unstructured":"M. Debbabi , M. Girard , and L. Poulin . 2001. Dynamic monitoring of malicious activity in software systems . In Proceedings of the Symposium on Requirements Engineering for Information Security. M. Debbabi, M. Girard, and L. Poulin. 2001. Dynamic monitoring of malicious activity in software systems. In Proceedings of the Symposium on Requirements Engineering for Information Security."},{"key":"e_1_2_2_25_1","volume-title":"Proceedings of the 10th IASTED International Conference on Software Engineering and Applications. 178\u201318","author":"Oladimeji E. A.","unstructured":"E. A. Oladimeji , S. Supakkul , and L. Chung . 2006. Security threat modeling and analysis: A Goal-oriented approach . In Proceedings of the 10th IASTED International Conference on Software Engineering and Applications. 178\u201318 . E. A. Oladimeji, S. Supakkul, and L. Chung. 2006. Security threat modeling and analysis: A Goal-oriented approach. In Proceedings of the 10th IASTED International Conference on Software Engineering and Applications. 178\u201318."},{"key":"e_1_2_2_26_1","volume-title":"Proceedings of the American Society for Quality ControlAnnual Quality Congress. 32\u201339","author":"Linda W.","year":"2020","unstructured":"W. Linda . 2020 . Software risk management . Proceedings of the American Society for Quality ControlAnnual Quality Congress. 32\u201339 . W. Linda. 2020. Software risk management. Proceedings of the American Society for Quality ControlAnnual Quality Congress. 32\u201339."},{"key":"e_1_2_2_27_1","volume-title":"Optical and Wireless Technologies","volume":"472","author":"Jyotiyana Priya","unstructured":"Priya Jyotiyana and S. Maheshwari . 2018. Techniques to detect clickjacking vulnerability in web pages . In Optical and Wireless Technologies , Vol. 472 , Springer Singapore, 615\u2013624. Priya Jyotiyana and S. Maheshwari. 2018. Techniques to detect clickjacking vulnerability in web pages. In Optical and Wireless Technologies, Vol. 472, Springer Singapore, 615\u2013624."},{"key":"e_1_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1088\/1742-6596\/933\/1\/012011"},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2014.07.010"},{"key":"e_1_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.19101\/IJACR.2018.838012"},{"key":"e_1_2_2_31_1","volume-title":"Proceedings of the 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO). IEEE, 451\u2013455","author":"Kumar Sandeep","unstructured":"Sandeep Kumar , R. Mahajan , N. Kumar , and S. K. Khatri . 2017. A study on web application security and detecting security vulnerabilities . In Proceedings of the 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO). IEEE, 451\u2013455 . Sandeep Kumar, R. Mahajan, N. Kumar, and S. K. Khatri. 2017. A study on web application security and detecting security vulnerabilities. In Proceedings of the 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO). IEEE, 451\u2013455."},{"key":"e_1_2_2_32_1","volume-title":"Proceedings of the IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE\u201914)","author":"Gupta Mukesh K.","unstructured":"Mukesh K. Gupta , M. C. Govil , and G. Singh . 2014. Static analysis approaches to detect SQL injection and cross site scripting vulnerabilities in web applications: A survey . In Proceedings of the IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE\u201914) . Mukesh K. Gupta, M. C. Govil, and G. Singh. 2014. Static analysis approaches to detect SQL injection and cross site scripting vulnerabilities in web applications: A survey. In Proceedings of the IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE\u201914)."},{"key":"e_1_2_2_33_1","volume-title":"Proceedings of the International Conference on Communication Systems and Network Technologies. IEEE, 453\u2013458","author":"Johari Rahul","unstructured":"Rahul Johari and P. Sharma . 2012. A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection . In Proceedings of the International Conference on Communication Systems and Network Technologies. IEEE, 453\u2013458 . Rahul Johari and P. Sharma. 2012. A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection. In Proceedings of the International Conference on Communication Systems and Network Technologies. IEEE, 453\u2013458."},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038923"},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.114"},{"key":"e_1_2_2_36_1","first-page":"1","article-title":"Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: Present and future challenges","volume":"7","author":"Gupta Shashank","year":"2017","unstructured":"Shashank Gupta and B. B. Gupta . 2017 . Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: Present and future challenges . Int. J. Cloud Applic. Comput. 7 , 3 (2017), 1 \u2013 43 . Shashank Gupta and B. B. Gupta. 2017. Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: Present and future challenges. Int. J. Cloud Applic. Comput. 7, 3 (2017), 1\u201343.","journal-title":"Int. J. Cloud Applic. Comput."},{"key":"e_1_2_2_37_1","doi-asserted-by":"crossref","unstructured":"G. Deepa and P. S. Thilagam. 2016. Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Inf. Softw. Technol. 74 (June 2016) 160\u2013180.  G. Deepa and P. S. Thilagam. 2016. Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Inf. Softw. Technol. 74 (June 2016) 160\u2013180.","DOI":"10.1016\/j.infsof.2016.02.005"},{"key":"e_1_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2015.11.017"},{"key":"e_1_2_2_39_1","volume-title":"Proceedings of the 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT). 647\u2013652","author":"Atashzar H.","unstructured":"H. Atashzar , A. Torkaman , M. Bahrololum , and M. H. Tadayon . 2011. A survey on web application vulnerabilities and countermeasures . In Proceedings of the 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT). 647\u2013652 . H. Atashzar, A. Torkaman, M. Bahrololum, and M. H. Tadayon. 2011. A survey on web application vulnerabilities and countermeasures. In Proceedings of the 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT). 647\u2013652."},{"key":"e_1_2_2_40_1","doi-asserted-by":"crossref","unstructured":"Ana L. Hern\u00e1ndez-Saucedo and J. Mej\u00eda. 2015. Proposal of a hybrid process to manage vulnerabilities in web applications. In Advances in Intelligent Systems and Computing Trends and Applications in Software Engineering. Vol. 405. Springer Cham 59\u201369.  Ana L. Hern\u00e1ndez-Saucedo and J. Mej\u00eda. 2015. Proposal of a hybrid process to manage vulnerabilities in web applications. In Advances in Intelligent Systems and Computing Trends and Applications in Software Engineering. Vol. 405. Springer Cham 59\u201369.","DOI":"10.1007\/978-3-319-26285-7_6"},{"key":"e_1_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.12.013"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-010-9131-y"},{"key":"e_1_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1459352.1459357"},{"key":"e_1_2_2_44_1","volume-title":"Proceedings of the 28th International Conference on Software Engineering. ACM","author":"Budgen David","unstructured":"David Budgen and P. Brereton . 2006. Performing systematic literature reviews in software engineering . In Proceedings of the 28th International Conference on Software Engineering. ACM . New York, NY, 1051\u20131052. David Budgen and P. Brereton. 2006. Performing systematic literature reviews in software engineering. In Proceedings of the 28th International Conference on Software Engineering. ACM. New York, NY, 1051\u20131052."},{"key":"e_1_2_2_45_1","volume-title":"Proceedings of the 12th International Conference on Evaluation and Assessment in Software Engineering (EASE). 71\u20138.","author":"Petersen Kai","unstructured":"Kai Petersen , R. Feldt , S. Mujtaba , and M. Mattsson . 2008. Systematic mapping studies in software engineering . In Proceedings of the 12th International Conference on Evaluation and Assessment in Software Engineering (EASE). 71\u20138. Kai Petersen, R. Feldt, S. Mujtaba, and M. Mattsson. 2008. Systematic mapping studies in software engineering. In Proceedings of the 12th International Conference on Evaluation and Assessment in Software Engineering (EASE). 71\u20138."},{"key":"e_1_2_2_46_1","doi-asserted-by":"crossref","unstructured":"B. Kitchenham S. D. Budgen and P. Brereton. 2015. Evidence-based Software Engineering and Systematic Reviews. CRC Press.  B. Kitchenham S. D. Budgen and P. Brereton. 2015. Evidence-based Software Engineering and Systematic Reviews. CRC Press.","DOI":"10.1201\/b19467"},{"key":"e_1_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180235"},{"key":"e_1_2_2_48_1","volume-title":"Proceedings of the International Symposium on Empirical Software Engineering and Measurement. IEEE, 275\u2013284","author":"Cruzes D. S.","unstructured":"D. S. Cruzes and T. Dyba . 2011. Recommended steps for thematic synthesis in software engineering . In Proceedings of the International Symposium on Empirical Software Engineering and Measurement. IEEE, 275\u2013284 . D. S. Cruzes and T. Dyba. 2011. Recommended steps for thematic synthesis in software engineering. In Proceedings of the International Symposium on Empirical Software Engineering and Measurement. IEEE, 275\u2013284."},{"key":"e_1_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2017.05.038"},{"key":"e_1_2_2_50_1","volume-title":"Proceedings of the IEEE 7th International Conference on Software Security and Reliability (SERE). 188\u2013197","author":"Eshete B.","unstructured":"B. Eshete , A. Villafiorita , K. Weldemariam , and M. Zulkernine . 2013. Confeagle: Automated analysis of configuration vulnerabilities in web applications . In Proceedings of the IEEE 7th International Conference on Software Security and Reliability (SERE). 188\u2013197 . B. Eshete, A. Villafiorita, K. Weldemariam, and M. Zulkernine. 2013. Confeagle: Automated analysis of configuration vulnerabilities in web applications. In Proceedings of the IEEE 7th International Conference on Software Security and Reliability (SERE). 188\u2013197."},{"key":"e_1_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1186\/1678-4804-20-4"},{"key":"e_1_2_2_52_1","volume-title":"Proceedings of the 25th International Symposium on Software Testing and Analysis. 1\u20131.","author":"Medeiros I.","unstructured":"I. Medeiros , N. Neves , and M. Correia . 2016. DEKANT: A static analysis tool that learns to detect web application vulnerabilities . In Proceedings of the 25th International Symposium on Software Testing and Analysis. 1\u20131. I. Medeiros, N. Neves, and M. Correia. 2016. DEKANT: A static analysis tool that learns to detect web application vulnerabilities. In Proceedings of the 25th International Symposium on Software Testing and Analysis. 1\u20131."},{"key":"e_1_2_2_53_1","volume-title":"Proceedings of the Nordic Conference on Secure IT Systems. 31\u201346","author":"Jensen T.","unstructured":"T. Jensen , H. Pedersen , M. C. Olesen , and R. R. Hansen . 2012. THAPS: Automated vulnerability scanning of PHP applications . In Proceedings of the Nordic Conference on Secure IT Systems. 31\u201346 . T. Jensen, H. Pedersen, M. C. Olesen, and R. R. Hansen. 2012. THAPS: Automated vulnerability scanning of PHP applications. In Proceedings of the Nordic Conference on Secure IT Systems. 31\u201346."},{"key":"e_1_2_2_54_1","volume-title":"Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. IEEE, 25\u201332","author":"Monga Mattia","unstructured":"Mattia Monga , R. Paleari , and E. Passerini . 2009. A hybrid analysis framework for detecting web application vulnerabilities . In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. IEEE, 25\u201332 . Mattia Monga, R. Paleari, and E. Passerini. 2009. A hybrid analysis framework for detecting web application vulnerabilities. In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. IEEE, 25\u201332."},{"key":"e_1_2_2_55_1","volume-title":"Proceedings of the 13th International Conference on Software Engineering. 171\u2013180","author":"Wassermann Gary","unstructured":"Gary Wassermann and Z. Su . 2008. Static detection of cross-site scripting vulnerabilities . In Proceedings of the 13th International Conference on Software Engineering. 171\u2013180 . Gary Wassermann and Z. Su. 2008. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 13th International Conference on Software Engineering. 171\u2013180."},{"key":"e_1_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2014.2373377"},{"key":"e_1_2_2_57_1","volume-title":"Proceedings of the 35th International Conference on Software Engineering (ICSE). 652\u201366","author":"Zheng Yunhui H.","unstructured":"Yunhui H. Zheng and X. Y. Zhang . 2013. Path sensitive static analysis of web applications for remote code execution vulnerability detection . In Proceedings of the 35th International Conference on Software Engineering (ICSE). 652\u201366 . Yunhui H. Zheng and X. Y. Zhang. 2013. Path sensitive static analysis of web applications for remote code execution vulnerability detection. In Proceedings of the 35th International Conference on Software Engineering (ICSE). 652\u201366."},{"key":"e_1_2_2_58_1","doi-asserted-by":"crossref","unstructured":"Shashank Gupta and B. B. Gupta. 2016. Enhanced XSS defensive framework for web applications deployed in the virtual machines of cloud computing environment. Procedia Technol. 24 (Jan. 2016) 1595\u20131602.  Shashank Gupta and B. B. Gupta. 2016. Enhanced XSS defensive framework for web applications deployed in the virtual machines of cloud computing environment. Procedia Technol. 24 (Jan. 2016) 1595\u20131602.","DOI":"10.1016\/j.protcy.2016.05.152"},{"key":"e_1_2_2_59_1","volume-title":"Proceedings of the 12th ACM International Conference on Computing Frontiers. 1\u20138.","author":"Gupta Shashank","unstructured":"Shashank Gupta and B. B. Gupta . 2015. PHP-sensor: A prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications . In Proceedings of the 12th ACM International Conference on Computing Frontiers. 1\u20138. Shashank Gupta and B. B. Gupta. 2015. PHP-sensor: A prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In Proceedings of the 12th ACM International Conference on Computing Frontiers. 1\u20138."},{"key":"e_1_2_2_60_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium.","author":"Dahse J.","unstructured":"J. Dahse and T. Holz . 2014. Static detection of second-order vulnerabilities in web applications . In Proceedings of the 23rd USENIX Security Symposium. J. Dahse and T. Holz. 2014. Static detection of second-order vulnerabilities in web applications. In Proceedings of the 23rd USENIX Security Symposium."},{"key":"e_1_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_2_2_62_1","volume-title":"Proceedings of the 27th Computer Security Applications Conference. 247\u2013256","author":"Li X.","unstructured":"X. Li and Y. Xue . 2011. BLOCK: A black-box approach for detection of state violation attacks towards web applications . In Proceedings of the 27th Computer Security Applications Conference. 247\u2013256 . X. Li and Y. Xue. 2011. BLOCK: A black-box approach for detection of state violation attacks towards web applications. In Proceedings of the 27th Computer Security Applications Conference. 247\u2013256."},{"key":"e_1_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10703-013-0189-1"},{"key":"e_1_2_2_64_1","volume-title":"Proceedings of the IEEE 31st International Conference on Software Engineering. 199\u201320","author":"Kieyzun Adam","unstructured":"Adam Kieyzun , P. J. Guo , K. Jayaraman , and M. D. Ernst . 2009. Automatic creation of SQL injection and cross-site scripting attacks . In Proceedings of the IEEE 31st International Conference on Software Engineering. 199\u201320 . Adam Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst. 2009. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the IEEE 31st International Conference on Software Engineering. 199\u201320."},{"key":"e_1_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.04.002"},{"key":"e_1_2_2_66_1","volume-title":"Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 481\u2013486","author":"Li Xiaowei","unstructured":"Xiaowei Li and Y. Xue . 2013. LogicScope: Automatic discovery of logic vulnerabilities within web applications . In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 481\u2013486 . Xiaowei Li and Y. Xue. 2013. LogicScope: Automatic discovery of logic vulnerabilities within web applications. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 481\u2013486."},{"key":"e_1_2_2_67_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium.","author":"Sooel S.","unstructured":"S. Sooel , K. S. Mckinley , and S. Vitaly . 2013. Fix me up: Repairing access-control bugs in web applications . In Proceedings of the Network and Distributed System Security Symposium. S. Sooel, K. S. Mckinley, and S. Vitaly. 2013. Fix me up: Repairing access-control bugs in web applications. In Proceedings of the Network and Distributed System Security Symposium."},{"key":"e_1_2_2_68_1","volume-title":"Proceedings of the 20th USENIX Security Symposium.","author":"Sun F. Q.","unstructured":"F. Q. Sun , L. Xu , and Z. D. Su . 2011. Static detection of access control vulnerabilities in web applications . In Proceedings of the 20th USENIX Security Symposium. F. Q. Sun, L. Xu, and Z. D. Su. 2011. Static detection of access control vulnerabilities in web applications. In Proceedings of the 20th USENIX Security Symposium."},{"key":"e_1_2_2_69_1","volume-title":"Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, 1\u201313","author":"Shmatikov S. S. V.","year":"2011","unstructured":"S. S. V. Shmatikov . 2011 . SAFERPHP: Finding semantic vulnerabilities in PHP applications . In Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, 1\u201313 . S. S. V. Shmatikov. 2011. SAFERPHP: Finding semantic vulnerabilities in PHP applications. In Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, 1\u201313."},{"key":"e_1_2_2_70_1","volume-title":"Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 25\u20133.","author":"Li Xiaowei","unstructured":"Xiaowei Li , W. Yan , and Y. Xue . 2012. SENTINEL: securing database from logic flaws in web applications . In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 25\u20133. Xiaowei Li, W. Yan, and Y. Xue. 2012. SENTINEL: securing database from logic flaws in web applications. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 25\u20133."},{"key":"e_1_2_2_71_1","volume-title":"Proceedings of the 34th International Conference on Software Engineering (ICSE). 749\u2013759","author":"Moller Anders","unstructured":"Anders Moller and M. Schwarz . 2012. Automated detection of client-state manipulation vulnerabilities . In Proceedings of the 34th International Conference on Software Engineering (ICSE). 749\u2013759 . Anders Moller and M. Schwarz. 2012. Automated detection of client-state manipulation vulnerabilities. In Proceedings of the 34th International Conference on Software Engineering (ICSE). 749\u2013759."},{"key":"e_1_2_2_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.70748"},{"key":"e_1_2_2_73_1","volume-title":"Proceedings of the 20th IEEE\/ACM International Conference on Automated Software Engineering. 174\u2013183","author":"Halfond William G. J.","unstructured":"William G. J. Halfond and A. Orso . 2005. Amnesia: Analysis and monitoring for neutralizing SQL-injection attacks . In Proceedings of the 20th IEEE\/ACM International Conference on Automated Software Engineering. 174\u2013183 . William G. J. Halfond and A. Orso. 2005. Amnesia: Analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE\/ACM International Conference on Automated Software Engineering. 174\u2013183."},{"key":"e_1_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.01.008"},{"key":"e_1_2_2_75_1","first-page":"1","article-title":"Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications","volume":"17","author":"Deepa G.","year":"2017","unstructured":"G. Deepa , P. S. Thilagam , F. A. Khan , A. Praseed , A. R. Pais , and N. Palsetia . 2017 . Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications . Int. J. Inf. Secur. 17 , 1 (Feb. 2018), 105\u2013120. G. Deepa, P. S. Thilagam, F. A. Khan, A. Praseed, A. R. Pais, and N. Palsetia. 2017. Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications. Int. J. Inf. Secur. 17, 1 (Feb. 2018), 105\u2013120.","journal-title":"Int. J. Inf. Secur."},{"key":"e_1_2_2_76_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2011.12.006"},{"key":"e_1_2_2_77_1","first-page":"4","article-title":"Auditing the XSS defence features implemented in web application programs","volume":"6","author":"Shar L. K.","year":"2012","unstructured":"L. K. Shar and H. B. K. Tan . 2012 . Auditing the XSS defence features implemented in web application programs . IEEE Softw. 6 , 4 (Aug. 2012). L. K. Shar and H. B. K. Tan. 2012. Auditing the XSS defence features implemented in web application programs. IEEE Softw. 6, 4 (Aug. 2012).","journal-title":"IEEE Softw."},{"key":"e_1_2_2_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/1698750.1698754"},{"key":"e_1_2_2_79_1","volume-title":"Proceedings of the 17th USENIX Security Symposium. USENIX Association, 31\u201343","author":"Martin M.","unstructured":"M. Martin and M. S. Lam . 2008. Automatic generation of XSS and SQL injection attacks with goal-directed model checking . In Proceedings of the 17th USENIX Security Symposium. USENIX Association, 31\u201343 . M. Martin and M. S. Lam. 2008. Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In Proceedings of the 17th USENIX Security Symposium. USENIX Association, 31\u201343."},{"key":"e_1_2_2_80_1","volume-title":"Proceedings of the International Symposium on Software Testing and Analysis. 56\u201366","author":"Alkhalaf M.","unstructured":"M. Alkhalaf , S. R. Choudhary , M. Fazzini , T. Bultan , A. Orso , and C. Kruegel . 2012. Viewpoints: Differential string analysis for discovering client- and server-side input validation inconsistencies . In Proceedings of the International Symposium on Software Testing and Analysis. 56\u201366 . M. Alkhalaf, S. R. Choudhary, M. Fazzini, T. Bultan, A. Orso, and C. Kruegel. 2012. Viewpoints: Differential string analysis for discovering client- and server-side input validation inconsistencies. In Proceedings of the International Symposium on Software Testing and Analysis. 56\u201366."},{"key":"e_1_2_2_81_1","volume-title":"Proceedings of the IEEE 4th International Conference on Software Engineering and Service Science. 89\u201392","author":"Binbin Q.","unstructured":"Q. Binbin , L. Beihai , J. Sheng , and Y. Chutian . 2013. Design of automatic vulnerability detection system for web application program . In Proceedings of the IEEE 4th International Conference on Software Engineering and Service Science. 89\u201392 . Q. Binbin, L. Beihai, J. Sheng, and Y. Chutian. 2013. Design of automatic vulnerability detection system for web application program. In Proceedings of the IEEE 4th International Conference on Software Engineering and Service Science. 89\u201392."},{"key":"e_1_2_2_82_1","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 1232\u20131243","author":"Trinh Minh-Thai T.","unstructured":"Minh-Thai T. Trinh , D.-H. H. Chu , and J. Jaffar . 2014. S3: A symbolic string solver for vulnerability detection in web applications . In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 1232\u20131243 . Minh-Thai T. Trinh, D.-H. H. Chu, and J. Jaffar. 2014. S3: A symbolic string solver for vulnerability detection in web applications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 1232\u20131243."},{"key":"e_1_2_2_83_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.04.007"},{"key":"e_1_2_2_84_1","volume-title":"Proceedings of IEEE 37th Computer Software and Applications Conference.256\u2013261","author":"Lei L.","unstructured":"L. Lei , X. Jing , L. Minglei , and Y. Jufeng . 2013. A dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach . In Proceedings of IEEE 37th Computer Software and Applications Conference.256\u2013261 . L. Lei, X. Jing, L. Minglei, and Y. Jufeng. 2013. A dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach. In Proceedings of IEEE 37th Computer Software and Applications Conference.256\u2013261."},{"key":"e_1_2_2_85_1","volume-title":"Proceedings of International Conference on Mechanical, Electronic, Control and Automation Engineering. 150\u2013155","author":"He H.","unstructured":"H. He , L. L. Chen , and W. P. Guo . 2017. Research on web application vulnerability scanning system based on fingerprint feature . In Proceedings of International Conference on Mechanical, Electronic, Control and Automation Engineering. 150\u2013155 . H. He, L. L. Chen, and W. P. Guo. 2017. Research on web application vulnerability scanning system based on fingerprint feature. In Proceedings of International Conference on Mechanical, Electronic, Control and Automation Engineering. 150\u2013155."},{"key":"e_1_2_2_86_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45243-2_34"},{"key":"e_1_2_2_87_1","volume-title":"Proceedings of the 31st ACM Symposium on Applied Computing. 801\u2013807","author":"Shahriar Hossain","unstructured":"Hossain Shahriar and H. Haddad . 2016. Object injection vulnerability discovery based on latent semantic indexing . In Proceedings of the 31st ACM Symposium on Applied Computing. 801\u2013807 . Hossain Shahriar and H. Haddad. 2016. Object injection vulnerability discovery based on latent semantic indexing. In Proceedings of the 31st ACM Symposium on Applied Computing. 801\u2013807."},{"key":"e_1_2_2_88_1","volume-title":"Proceedings of the 19th USENIX Conference on Security.","author":"Felmetsger V.","unstructured":"V. Felmetsger , L. Cavedon , C. Kruegel , and G. Vigna . 2010. Toward automated detection of logic vulnerabilities in web applications . In Proceedings of the 19th USENIX Conference on Security. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. 2010. Toward automated detection of logic vulnerabilities in web applications. In Proceedings of the 19th USENIX Conference on Security."},{"key":"e_1_2_2_89_1","volume-title":"Network and Distributed System Security Symposium. SanDiego, CA, USA.","author":"Pellegrino Giancarlo","unstructured":"Giancarlo Pellegrino and D. Balzarotti . 2014. Toward black-box detection of logic flaws in web applications . In Network and Distributed System Security Symposium. SanDiego, CA, USA. Giancarlo Pellegrino and D. Balzarotti. 2014. Toward black-box detection of logic flaws in web applications. In Network and Distributed System Security Symposium. SanDiego, CA, USA."},{"key":"e_1_2_2_90_1","volume-title":"HDTCV: Hybrid detection technique for clickjacking vulnerability. In Advances in Intelligent Systems and Computing, Artificial Intelligence and Evolutionary Computations in Engineering Systems","author":"Kavitha D.","year":"2016","unstructured":"D. Kavitha , S. Chandrasekaran , and S. K. Rani . 2016 . HDTCV: Hybrid detection technique for clickjacking vulnerability. In Advances in Intelligent Systems and Computing, Artificial Intelligence and Evolutionary Computations in Engineering Systems , Vol. 394 . Springer New Delhi , 607\u2013620. D. Kavitha, S. Chandrasekaran, and S. K. Rani. 2016. HDTCV: Hybrid detection technique for clickjacking vulnerability. In Advances in Intelligent Systems and Computing, Artificial Intelligence and Evolutionary Computations in Engineering Systems, Vol. 394. Springer New Delhi, 607\u2013620."},{"key":"e_1_2_2_91_1","volume-title":"Proceedings of the International Conference on Contemporary Computing and Informatics (IC3I). 702\u2013706","author":"Sunkari Venkatramulu","unstructured":"Venkatramulu Sunkari and C. V. Guru Rao . 2014. Preventing input type validation vulnerabilities using network based intrusion detection systems . In Proceedings of the International Conference on Contemporary Computing and Informatics (IC3I). 702\u2013706 . Venkatramulu Sunkari and C. V. Guru Rao. 2014. Preventing input type validation vulnerabilities using network based intrusion detection systems. In Proceedings of the International Conference on Contemporary Computing and Informatics (IC3I). 702\u2013706."},{"key":"e_1_2_2_92_1","volume-title":"Proceedings of the 2nd IEEE International Conference on Computer and Communications (ICCC). 1171\u20131175","author":"Lei L.","unstructured":"L. Lei , X. Jing , G. Chenkai , K. Jiehui , X. Sihan , and Z. Biao . 2016. Exposing SQL injection vulnerability through penetration test based on finite state machine . In Proceedings of the 2nd IEEE International Conference on Computer and Communications (ICCC). 1171\u20131175 . L. Lei, X. Jing, G. Chenkai, K. Jiehui, X. Sihan, and Z. Biao. 2016. Exposing SQL injection vulnerability through penetration test based on finite state machine. In Proceedings of the 2nd IEEE International Conference on Computer and Communications (ICCC). 1171\u20131175."},{"key":"e_1_2_2_93_1","volume-title":"Proceedings of the IEEE 40th Computer Software and Applications Conference (COMPSAC). 123\u2013132","author":"Lei Liuet","year":"2016","unstructured":"Lei Liuet al. 2016 . An effective penetration test approach based on feature matrix for exposing SQL injection vulnerability . In Proceedings of the IEEE 40th Computer Software and Applications Conference (COMPSAC). 123\u2013132 . Lei Liuet al. 2016. An effective penetration test approach based on feature matrix for exposing SQL injection vulnerability. In Proceedings of the IEEE 40th Computer Software and Applications Conference (COMPSAC). 123\u2013132."},{"key":"e_1_2_2_94_1","volume-title":"Proceedings of the 10th International Conference on Information Technology: New Generations. IEEE, 633\u2013638","author":"Ruse Michelle E.","unstructured":"Michelle E. Ruse and S. Basu . 2013. Detecting cross-site scripting vulnerability using concolic testing . In Proceedings of the 10th International Conference on Information Technology: New Generations. IEEE, 633\u2013638 . Michelle E. Ruse and S. Basu. 2013. Detecting cross-site scripting vulnerability using concolic testing. In Proceedings of the 10th International Conference on Information Technology: New Generations. IEEE, 633\u2013638."},{"key":"e_1_2_2_95_1","volume-title":"Proceedings of the IEEE 36th Computer Software and Applications Conference. 233\u2013243","author":"Scholte T.","unstructured":"T. Scholte , W. Robertson , D. Balzarotti , and E. Kirda . 2012. Preventing input validation vulnerabilities in web applications through automated type analysis . In Proceedings of the IEEE 36th Computer Software and Applications Conference. 233\u2013243 . T. Scholte, W. Robertson, D. Balzarotti, and E. Kirda. 2012. Preventing input validation vulnerabilities in web applications through automated type analysis. In Proceedings of the IEEE 36th Computer Software and Applications Conference. 233\u2013243."},{"key":"e_1_2_2_96_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.mcm.2011.01.050"},{"key":"e_1_2_2_97_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.114"},{"key":"e_1_2_2_98_1","volume-title":"Proceedings of the 4th ACM Conference on Data and Application Security and Privacy. 49\u201360","author":"Li Xiaowei","unstructured":"Xiaowei Li , X. Si , and Y. Xue . 2014. Automated black-box detection of access control vulnerabilities in web applications . In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy. 49\u201360 . Xiaowei Li, X. Si, and Y. Xue. 2014. Automated black-box detection of access control vulnerabilities in web applications. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy. 49\u201360."},{"key":"e_1_2_2_99_1","doi-asserted-by":"crossref","unstructured":"Cheng Huang J. Y. Liu Y. Fang and Z. Zuo. 2016. A study on web security incidents in China by analyzing vulnerability disclosure platforms. Comput. Secur. 58 (May 2016) 47\u201362.  Cheng Huang J. Y. Liu Y. Fang and Z. Zuo. 2016. A study on web security incidents in China by analyzing vulnerability disclosure platforms. Comput. Secur. 58 (May 2016) 47\u201362.","DOI":"10.1016\/j.cose.2015.11.006"},{"key":"e_1_2_2_100_1","volume-title":"Proceedings of the IEEE International Conference on Wireless Communications, Signal Processing and Networking (Wispnet). 221\u2013227","author":"Vithanage Nisal M.","unstructured":"Nisal M. Vithanage and N. Jeyamohan . 2016. Webguardia\u2014An integrated penetration testing system to detect web application vulnerabilities . In Proceedings of the IEEE International Conference on Wireless Communications, Signal Processing and Networking (Wispnet). 221\u2013227 . Nisal M. Vithanage and N. Jeyamohan. 2016. Webguardia\u2014An integrated penetration testing system to detect web application vulnerabilities. In Proceedings of the IEEE International Conference on Wireless Communications, Signal Processing and Networking (Wispnet). 221\u2013227."},{"key":"e_1_2_2_101_1","volume-title":"Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910)","author":"Zhang K. H.","unstructured":"K. H. Zhang , Z. Li , R. Wang , X. F. Wang , and S. Chen . 2010. SideBuster: Automated detection and quantification of side-channel leaks in web application development . In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910) . 595\u2013606. K. H. Zhang, Z. Li, R. Wang, X. F. Wang, and S. Chen. 2010. SideBuster: Automated detection and quantification of side-channel leaks in web application development. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910). 595\u2013606."},{"key":"e_1_2_2_102_1","volume-title":"Proceedings of the 18th ACM Conference on Computer and Communications Security. 263\u2013274","author":"Chapman Peter","unstructured":"Peter Chapman and D. Evans . 2011. Automated black-box detection of side-channel vulnerabilities in web applications . In Proceedings of the 18th ACM Conference on Computer and Communications Security. 263\u2013274 . Peter Chapman and D. Evans. 2011. Automated black-box detection of side-channel vulnerabilities in web applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security. 263\u2013274."},{"key":"e_1_2_2_103_1","first-page":"8","article-title":"A systematic mapping study of web application testing","volume":"55","author":"Vahid Garousiet","year":"2013","unstructured":"Vahid Garousiet al. 2013 . A systematic mapping study of web application testing . Inf. Softw. Technol. 55 , 8 (Aug.2013), 1374\u20131396. Vahid Garousiet al. 2013. A systematic mapping study of web application testing. Inf. Softw. Technol. 55, 8 (Aug.2013), 1374\u20131396.","journal-title":"Inf. Softw. Technol."},{"key":"e_1_2_2_104_1","doi-asserted-by":"publisher","DOI":"10.5555\/1687229.1687231"},{"key":"e_1_2_2_105_1","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 690\u2013701","author":"Monshizadeh Maliheh","unstructured":"Maliheh Monshizadeh , P. Naldurg , and V. N. Venkatakrishnan . 2014. MACE: Detecting privilege escalation vulnerabilities in web applications . In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 690\u2013701 . Maliheh Monshizadeh, P. Naldurg, and V. N. Venkatakrishnan. 2014. MACE: Detecting privilege escalation vulnerabilities in web applications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 690\u2013701."},{"key":"e_1_2_2_106_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.08.001"},{"key":"e_1_2_2_107_1","volume-title":"Proceedings of the 35th International Conference on Software Engineering (ICSE). IEEE, 642\u2013651","author":"Shar Lwin K.","unstructured":"Lwin K. Shar , H. Beng Kuan Tan, and L. C. Briand. 2013. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis . In Proceedings of the 35th International Conference on Software Engineering (ICSE). IEEE, 642\u2013651 . Lwin K. Shar, H. Beng Kuan Tan, and L. C. Briand. 2013. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. In Proceedings of the 35th International Conference on Software Engineering (ICSE). IEEE, 642\u2013651."},{"key":"e_1_2_2_108_1","volume-title":"Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS\u201911)","author":"Doup\u00e9 Adam","unstructured":"Adam Doup\u00e9 , B. Boe , C. Kruegel , and G. Vigna . 2011. Fear the EAR . In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS\u201911) . 251\u2013261. Adam Doup\u00e9, B. Boe, C. Kruegel, and G. Vigna. 2011. Fear the EAR. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS\u201911). 251\u2013261."},{"key":"e_1_2_2_109_1","volume-title":"Proceedings of the 18th ACM Conference on Computer & Communications Security (CCS\u201911)","author":"Bisht Prithvi","unstructured":"Prithvi Bisht , T. Hinrichs , N. Skrupsky , and V. N. Venkatakrishnan . 2011. WAPTEC: Whitebox analysis of web applications for parameter tampering exploit construction . In Proceedings of the 18th ACM Conference on Computer & Communications Security (CCS\u201911) . 575\u2013586. Prithvi Bisht, T. Hinrichs, N. Skrupsky, and V. N. Venkatakrishnan. 2011. WAPTEC: Whitebox analysis of web applications for parameter tampering exploit construction. In Proceedings of the 18th ACM Conference on Computer & Communications Security (CCS\u201911). 575\u2013586."},{"key":"e_1_2_2_110_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-016-0334-0"},{"key":"e_1_2_2_111_1","volume-title":"Proceedings of the International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery. 29\u201336","author":"Guo Xiaobing","unstructured":"Xiaobing Guo , S. Jin , and Y. Zhang . 2015. XSS vulnerability detection using optimized attack vector repertory . In Proceedings of the International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery. 29\u201336 . Xiaobing Guo, S. Jin, and Y. Zhang. 2015. XSS vulnerability detection using optimized attack vector repertory. In Proceedings of the International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery. 29\u201336."},{"key":"e_1_2_2_112_1","volume-title":"Proceedings of the 9th Malaysian Software Engineering Conference (MySEC). 224\u201322","author":"Aliero Muhammmad S.","unstructured":"Muhammmad S. Aliero , and I. Ghani . 2015. A component based SQL injection vulnerability detection tool . In Proceedings of the 9th Malaysian Software Engineering Conference (MySEC). 224\u201322 . Muhammmad S. Aliero, and I. Ghani. 2015. A component based SQL injection vulnerability detection tool. In Proceedings of the 9th Malaysian Software Engineering Conference (MySEC). 224\u201322."},{"key":"e_1_2_2_113_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICoIA.2013.6650259"},{"key":"e_1_2_2_114_1","volume-title":"Proceedings of the 1st International Conference on Recent Advances in Information Technology (RAIT). 585\u2013590","author":"Singh A. K.","unstructured":"A. K. Singh and S. Roy . 2012. A network based vulnerability scanner for detecting SQLI attacks in web applications . In Proceedings of the 1st International Conference on Recent Advances in Information Technology (RAIT). 585\u2013590 . A. K. Singh and S. Roy. 2012. A network based vulnerability scanner for detecting SQLI attacks in web applications. In Proceedings of the 1st International Conference on Recent Advances in Information Technology (RAIT). 585\u2013590."},{"key":"e_1_2_2_115_1","first-page":"327","article-title":"SQLIVD\u2014AOP: Preventing SQL injection vulnerabilities using aspect oriented Programming through web services","volume":"169","author":"Shanmughaneethi V.","year":"2011","unstructured":"V. Shanmughaneethi , R. Y. Pravin , C. E. Shyni , and S. Swamynathan . 2011 . SQLIVD\u2014AOP: Preventing SQL injection vulnerabilities using aspect oriented Programming through web services . High-perform. Archit. Grid Comput. 169 (2011), 327 \u2013 337 . V. Shanmughaneethi, R. Y. Pravin, C. E. Shyni, and S. Swamynathan. 2011. SQLIVD\u2014AOP: Preventing SQL injection vulnerabilities using aspect oriented Programming through web services. High-perform. Archit. Grid Comput. 169 (2011), 327\u2013337.","journal-title":"High-perform. Archit. Grid Comput."},{"key":"e_1_2_2_116_1","volume-title":"Proceedings of the International Conference on Computer Science and Network Technology. 935\u2013938","author":"Wu H. Y.","unstructured":"H. Y. Wu , G. Z. Gao , and C. Y. Miao . 2011. Test SQL injection vulnerabilities in web applications based on structure matching . In Proceedings of the International Conference on Computer Science and Network Technology. 935\u2013938 . H. Y. Wu, G. Z. Gao, and C. Y. Miao. 2011. Test SQL injection vulnerabilities in web applications based on structure matching. In Proceedings of the International Conference on Computer Science and Network Technology. 935\u2013938."},{"key":"e_1_2_2_117_1","volume-title":"Proceedings of the 5th International Conference on Software Engineering Advances. 501\u2013507","author":"Zhang L.","unstructured":"L. Zhang , Q. Gu , S. Peng , X. Chen , H. Zhao , and D. Chen . 2010. D-WAV: A web application vulnerabilities detection tool using characteristics of web forms . In Proceedings of the 5th International Conference on Software Engineering Advances. 501\u2013507 . L. Zhang, Q. Gu, S. Peng, X. Chen, H. Zhao, and D. Chen. 2010. D-WAV: A web application vulnerabilities detection tool using characteristics of web forms. In Proceedings of the 5th International Conference on Software Engineering Advances. 501\u2013507."},{"key":"e_1_2_2_118_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2010.07.007"},{"key":"e_1_2_2_119_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSYM.2010.5685537"},{"key":"e_1_2_2_120_1","volume-title":"Proceedings of the NDSS Symposium.","author":"Balduzzi M.","unstructured":"M. Balduzzi , C. Gimenez , D. Balzarotti , and E. Kirda . 2011. Automated discovery of parameter pollution vulnerabilities in web applications . In Proceedings of the NDSS Symposium. M. Balduzzi, C. Gimenez, D. Balzarotti, and E. Kirda. 2011. Automated discovery of parameter pollution vulnerabilities in web applications. In Proceedings of the NDSS Symposium."},{"key":"e_1_2_2_121_1","volume-title":"Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910)","author":"Bisht Prithvi","unstructured":"Prithvi Bisht , T. Hinrichs , N. Skrupsky , R. Bobrowicz , and V. N. Venkatakrishnan . 2010. NoTamper: Automatic blackbox detection of parameter tampering opportunities in web applications . In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910) . 607\u2013618. Prithvi Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan. 2010. NoTamper: Automatic blackbox detection of parameter tampering opportunities in web applications. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS\u201910). 607\u2013618."},{"key":"e_1_2_2_122_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 387\u2013401","author":"Balzarotti Davide","unstructured":"Davide Balzarotti , M. Cova , V. Felmetsger , N. Jovanovic , E. Kirda , C. Kruegel , and G. Vigna . 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications . In Proceedings of the IEEE Symposium on Security and Privacy. 387\u2013401 . Davide Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Proceedings of the IEEE Symposium on Security and Privacy. 387\u2013401."},{"key":"e_1_2_2_123_1","volume-title":"Proceedings of the International Conference on Promising Electronic Technologies (ICPET). IEEE, 26\u201331","author":"Marashdih Abdalla W.","unstructured":"Abdalla W. Marashdih and Z. F. Zaaba . 2017. Detection and removing cross site scripting vulnerability in PHP web application . In Proceedings of the International Conference on Promising Electronic Technologies (ICPET). IEEE, 26\u201331 . Abdalla W. Marashdih and Z. F. Zaaba. 2017. Detection and removing cross site scripting vulnerability in PHP web application. In Proceedings of the International Conference on Promising Electronic Technologies (ICPET). IEEE, 26\u201331."},{"key":"e_1_2_2_124_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2009.09.037"},{"key":"e_1_2_2_125_1","volume-title":"Proceedings of the IEEE International Conference on Services Computing. 104\u2013111","author":"Antunes Nuno","unstructured":"Nuno Antunes and M. Vieira . 2011. Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services . In Proceedings of the IEEE International Conference on Services Computing. 104\u2013111 . Nuno Antunes and M. Vieira. 2011. Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services. In Proceedings of the IEEE International Conference on Services Computing. 104\u2013111."},{"key":"e_1_2_2_126_1","volume-title":"Proceedings of the 9th Joint Meeting on Foundations of Software Engineering. 114\u2013124","author":"Zheng Yunhui","unstructured":"Yunhui Zheng , X. Zhang , and V. Ganesh . 2013. Z3-Str: A Z3-based string solver for web application analysis . In Proceedings of the 9th Joint Meeting on Foundations of Software Engineering. 114\u2013124 . Yunhui Zheng, X. Zhang, and V. Ganesh. 2013. Z3-Str: A Z3-based string solver for web application analysis. In Proceedings of the 9th Joint Meeting on Foundations of Software Engineering. 114\u2013124."},{"key":"e_1_2_2_127_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-21690-4_14"},{"key":"e_1_2_2_128_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-21690-4_29"},{"key":"e_1_2_2_129_1","volume-title":"RAJIVE: Restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications. Int. J. Innov. Comput. Appl. 9","author":"Gupta S.","year":"2018","unstructured":"S. Gupta and B. B. Gupta . 2018 . RAJIVE: Restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications. Int. J. Innov. Comput. Appl. 9 , (2018), 13\u201336. S. Gupta and B. B. Gupta. 2018. RAJIVE: Restricting the abuse of JavaScript injection vulnerabilities on cloud data centre by sensing the violation in expected workflow of web applications. Int. J. Innov. Comput. Appl. 9, (2018), 13\u201336."},{"key":"e_1_2_2_130_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.11.004"},{"key":"e_1_2_2_131_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2015.11.001"},{"key":"e_1_2_2_132_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2015.03.078"},{"key":"e_1_2_2_133_1","volume-title":"Proceedings of the IEEE\/ACM 37th IEEE International Conference on Software Engineering. 598\u2013608","author":"Caitlin Sadowskiet","year":"2015","unstructured":"Caitlin Sadowskiet al. 2015 . Tricorder: Building a program analysis ecosystem . In Proceedings of the IEEE\/ACM 37th IEEE International Conference on Software Engineering. 598\u2013608 . Caitlin Sadowskiet al. 2015. Tricorder: Building a program analysis ecosystem. In Proceedings of the IEEE\/ACM 37th IEEE International Conference on Software Engineering. 598\u2013608."},{"key":"e_1_2_2_134_1","volume-title":"Proceedings of the 35th International Conference on Software Engineering (ICSE). 672\u2013681","author":"Johnson Brittany","unstructured":"Brittany Johnson , Y. Song , E. Murphy-Hill , and R. Bowdidge . 2013. Why don\u2019t software developers use static analysis tools to find bugs? In Proceedings of the 35th International Conference on Software Engineering (ICSE). 672\u2013681 . Brittany Johnson, Y. Song, E. Murphy-Hill, and R. Bowdidge. 2013. Why don\u2019t software developers use static analysis tools to find bugs? In Proceedings of the 35th International Conference on Software Engineering (ICSE). 672\u2013681."},{"key":"e_1_2_2_135_1","first-page":"604","article-title":"SQLIPA: An authentication mechanism against SQL injection","volume":"38","author":"Ali S.","year":"2009","unstructured":"S. Ali , S. K. Shahzad , and H. Javed . 2009 . SQLIPA: An authentication mechanism against SQL injection . Eur. J. Sci. Res. 38 (2009), 604 \u2013 611 . S. Ali, S. K. Shahzad, and H. Javed. 2009. SQLIPA: An authentication mechanism against SQL injection. Eur. J. Sci. Res. 38 (2009), 604\u2013611.","journal-title":"Eur. J. Sci. Res."},{"key":"e_1_2_2_136_1","volume-title":"SQLProb. In Proceedings of the ACM Symposium on Applied Computing. 2054\u20132061","author":"Liu Anyi","unstructured":"Anyi Liu , Y. Yuan , D. Wijesekera , and A. Stavrou . 2009 . SQLProb. In Proceedings of the ACM Symposium on Applied Computing. 2054\u20132061 . Anyi Liu, Y. Yuan, D. Wijesekera, and A. Stavrou. 2009. SQLProb. In Proceedings of the ACM Symposium on Applied Computing. 2054\u20132061."},{"key":"e_1_2_2_137_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2009.34"},{"key":"e_1_2_2_138_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-017-0472-3"},{"key":"e_1_2_2_139_1","first-page":"473","article-title":"Predicting web vulnerabilities in web applications based on machine learning","volume":"932","author":"Khalid Muhammad N.","year":"2019","unstructured":"Muhammad N. Khalid , H. Farooq , M. Iqbal , M. T. Alam , and K. Rasheed . 2019 . Predicting web vulnerabilities in web applications based on machine learning . Commun. Comput. Inf. Sci. 932 (2019), 473 \u2013 484 . Muhammad N. Khalid, H. Farooq, M. Iqbal, M. T. Alam, and K. Rasheed. 2019. Predicting web vulnerabilities in web applications based on machine learning. Commun. Comput. Inf. Sci. 932 (2019), 473\u2013484.","journal-title":"Commun. Comput. Inf. Sci."},{"key":"e_1_2_2_140_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2019.2900007"},{"key":"e_1_2_2_141_1","doi-asserted-by":"crossref","unstructured":"D. Ying Z. Yuqing M. Hua W. Qianru L. Qixu W. Kai and W. Wenjie. 2018. An adaptive system for detecting malicious queries in web attacks. Sci. China Inf. Sci. 61 3 (2018).  D. Ying Z. Yuqing M. Hua W. Qianru L. Qixu W. Kai and W. Wenjie. 2018. An adaptive system for detecting malicious queries in web attacks. Sci. China Inf. Sci. 61 3 (2018).","DOI":"10.1007\/s11432-017-9288-4"},{"key":"e_1_2_2_142_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2844343"},{"key":"e_1_2_2_143_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-016-3735-1"},{"key":"e_1_2_2_144_1","volume-title":"Proceedings of the 4th International Conference on Computing Communication Control and Automation (ICCUBEA). 1\u20135.","author":"Patil Vaibhav","unstructured":"Vaibhav Patil , P. Thakkar , C. Shah , T. Bhat , and S. P. Godse . 2018. Detection and prevention of phishing websites using machine learning approach . In Proceedings of the 4th International Conference on Computing Communication Control and Automation (ICCUBEA). 1\u20135. Vaibhav Patil, P. Thakkar, C. Shah, T. Bhat, and S. P. Godse. 2018. Detection and prevention of phishing websites using machine learning approach. In Proceedings of the 4th International Conference on Computing Communication Control and Automation (ICCUBEA). 1\u20135."},{"key":"e_1_2_2_145_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.08.227"},{"key":"e_1_2_2_146_1","unstructured":"Mukesh K. Gupta M. C. Govil and G. Singh. 2018. Text-mining and pattern-matching based prediction models for detecting vulnerable files in web applications. Journal of Web Engineering. 171&2 (2018) 28\u201344.  Mukesh K. Gupta M. C. Govil and G. Singh. 2018. Text-mining and pattern-matching based prediction models for detecting vulnerable files in web applications. Journal of Web Engineering. 171&2 (2018) 28\u201344."},{"key":"e_1_2_2_147_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-018-0423-3"},{"key":"e_1_2_2_148_1","volume-title":"Proceedings of the IEEE 41st Computer Software and Applications Conference (COMPSAC). 578\u2013583","author":"Li P.","unstructured":"P. Li , L. Liu , J. Xu , H. Yang , L. Yuan , C. Guo , and X. Ji . 2017. Application of hidden Markov model in SQL injection detection . In Proceedings of the IEEE 41st Computer Software and Applications Conference (COMPSAC). 578\u2013583 . P. Li, L. Liu, J. Xu, H. Yang, L. Yuan, C. Guo, and X. Ji. 2017. Application of hidden Markov model in SQL injection detection. In Proceedings of the IEEE 41st Computer Software and Applications Conference (COMPSAC). 578\u2013583."},{"key":"e_1_2_2_149_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-160554"},{"key":"e_1_2_2_150_1","volume-title":"Proceedings of the 9th International Conference on Information Technology: New Generations. 189\u2013194","author":"Agosta Giovanni","unstructured":"Giovanni Agosta , A. Barenghi , A. Parata , and G. Pelosi . 2012. Automated security analysis of dynamic web applications through symbolic code execution . In Proceedings of the 9th International Conference on Information Technology: New Generations. 189\u2013194 . Giovanni Agosta, A. Barenghi, A. Parata, and G. Pelosi. 2012. Automated security analysis of dynamic web applications through symbolic code execution. In Proceedings of the 9th International Conference on Information Technology: New Generations. 189\u2013194."},{"key":"e_1_2_2_151_1","volume-title":"Proceedings of the IEEE 39th Computer Software and Applications Conference. 525\u2013532","author":"Zhong Y.","unstructured":"Y. Zhong , H. Asakura , H. Takakura , and Y. Oshima . 2015. Detecting malicious inputs of web application parameters using character class sequences . In Proceedings of the IEEE 39th Computer Software and Applications Conference. 525\u2013532 . Y. Zhong, H. Asakura, H. Takakura, and Y. Oshima. 2015. Detecting malicious inputs of web application parameters using character class sequences. In Proceedings of the IEEE 39th Computer Software and Applications Conference. 525\u2013532."},{"key":"e_1_2_2_152_1","volume-title":"Proclick. In Proceedings of the 6th International Conference on Security of Information and Networks. 144\u2013151","author":"Shahriar Hossain","unstructured":"Hossain Shahriar , V. K. Devendran , and H. Haddad . 2013 . Proclick. In Proceedings of the 6th International Conference on Security of Information and Networks. 144\u2013151 . Hossain Shahriar, V. K. Devendran, and H. Haddad. 2013. Proclick. In Proceedings of the 6th International Conference on Security of Information and Networks. 144\u2013151."},{"key":"e_1_2_2_153_1","volume-title":"Proceedings of the 6th International Conference on Security of Information and Networks. 167\u2013177","author":"Ceccato M.","unstructured":"M. Ceccato , C. D. Nguyen , D. Appelt , and L. C. Briand . 2016. SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities . In Proceedings of the 6th International Conference on Security of Information and Networks. 167\u2013177 . M. Ceccato, C. D. Nguyen, D. Appelt, and L. C. Briand. 2016. SOFIA: An automated security oracle for black-box testing of SQL-injection vulnerabilities. In Proceedings of the 6th International Conference on Security of Information and Networks. 167\u2013177."},{"key":"e_1_2_2_154_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13369-015-1891-7"},{"key":"e_1_2_2_155_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2019.2910285"},{"key":"e_1_2_2_156_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2011.103"},{"key":"e_1_2_2_157_1","volume-title":"Proceedings of the IEEE International Conference on Software Testing, Verification and Validation. 409\u2013415","author":"Bertrand S.","unstructured":"S. Bertrand and E. Fong . 2016. Large scale generation of complex and faulty PHP test cases . In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation. 409\u2013415 . S. Bertrand and E. Fong. 2016. Large scale generation of complex and faulty PHP test cases. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation. 409\u2013415."},{"key":"e_1_2_2_158_1","volume-title":"Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST). 154\u2013157","author":"Yu Fang","unstructured":"Fang Yu , M. Alkhalaf , and T. Bultan . 2010. Stranger: An automata-based string analysis tool for PHP . In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST). 154\u2013157 . Fang Yu, M. Alkhalaf, and T. Bultan. 2010. Stranger: An automata-based string analysis tool for PHP. In Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST). 154\u2013157."},{"key":"e_1_2_2_159_1","doi-asserted-by":"publisher","DOI":"10.1145\/2522920.2522926"},{"key":"e_1_2_2_160_1","unstructured":"NVD. 2019. The U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). Retrieved from https:\/\/nvd.nist.gov\/.  NVD. 2019. The U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). Retrieved from https:\/\/nvd.nist.gov\/."},{"key":"e_1_2_2_161_1","unstructured":"Bugzilla. 2019. A software to manage software development. Retrieved from https:\/\/www.bugzilla.org\/.  Bugzilla. 2019. A software to manage software development. Retrieved from https:\/\/www.bugzilla.org\/."},{"key":"e_1_2_2_162_1","unstructured":"NIST. 2019. National Institute of Standards and Technology. Retrieved from http:\/\/www.nist.gov\/.  NIST. 2019. National Institute of Standards and Technology. Retrieved from http:\/\/www.nist.gov\/."},{"key":"e_1_2_2_163_1","volume-title":"The BodgeIt Store. Retrieved on","author":"Psiinon S. B.","year":"2020","unstructured":"S. B. Psiinon . 2020. Bodgeit. The BodgeIt Store. Retrieved on 17 February , 2020 from https:\/\/github.com\/psiinon\/bodgeit. S. B. Psiinon. 2020. Bodgeit. The BodgeIt Store. Retrieved on 17 February, 2020 from https:\/\/github.com\/psiinon\/bodgeit."},{"key":"e_1_2_2_164_1","volume-title":"Retrieved on","author":"Platform Kanakiya","year":"2021","unstructured":"Kanakiya P.2021. Openmrs-module-legacyui. OpenMRS Platform . Retrieved on 30 June , 2021 from https:\/\/github.com\/openmrs\/openmrs-module-legacyui\/blob\/master\/omod\/src\/main\/webapp\/login.jsp. Kanakiya P.2021. Openmrs-module-legacyui. OpenMRS Platform. Retrieved on 30 June, 2021 from https:\/\/github.com\/openmrs\/openmrs-module-legacyui\/blob\/master\/omod\/src\/main\/webapp\/login.jsp."},{"key":"e_1_2_2_165_1","unstructured":"Regain. 2019. A search engine. Retrieved from http:\/\/regain.sourceforge.net\/.  Regain. 2019. A search engine. Retrieved from http:\/\/regain.sourceforge.net\/."},{"key":"e_1_2_2_166_1","volume-title":"CSIC 2010. 2021","author":"HTTP","year":"2021","unstructured":"HTTP dataset CSIC 2010. 2021 . A testbed. Retrieved on 30 June , 2021 fromhttps:\/\/www.kaggle.com\/ispangler\/csic-2010-web-application-attacks. HTTP dataset CSIC 2010. 2021. A testbed. Retrieved on 30 June, 2021 fromhttps:\/\/www.kaggle.com\/ispangler\/csic-2010-web-application-attacks."},{"key":"e_1_2_2_167_1","volume-title":"Suite-9408 PHP source code","author":"Stivalet B.","year":"2019","unstructured":"B. Stivalet . Suite-9408 PHP source code . 2019 . A test suite. Retrieved on 12 August, 2019 from https:\/\/github.com\/stivalet\/PHP-Vulnerability-test-suite. B. Stivalet. Suite-9408 PHP source code. 2019. A test suite. Retrieved on 12 August, 2019 from https:\/\/github.com\/stivalet\/PHP-Vulnerability-test-suite."},{"key":"e_1_2_2_168_1","unstructured":"IBM Security AppScan. 2021. An enterprise scanner Retrieved from https:\/\/www.ibm.com\/common\/ssi\/ShowDoc.wss?docURL=\/common\/ssi\/rep_sm\/9\/897\/ENUS5724-T59\/index.html.  IBM Security AppScan. 2021. An enterprise scanner Retrieved from https:\/\/www.ibm.com\/common\/ssi\/ShowDoc.wss?docURL=\/common\/ssi\/rep_sm\/9\/897\/ENUS5724-T59\/index.html."},{"key":"e_1_2_2_169_1","unstructured":"NIST. 2019. Juliet Test Suite. Retrieved from https:\/\/samate.nist.gov\/SRD\/testsuite.php.  NIST. 2019. Juliet Test Suite. Retrieved from https:\/\/samate.nist.gov\/SRD\/testsuite.php."},{"key":"e_1_2_2_170_1","unstructured":"M. Gegick and S. Barnum. 2013. Securing the Weakest Link Retrieved from https:\/\/us-cert.cisa.gov\/bsi\/articles\/knowledge\/principles\/securing-the-weakest-link.  M. Gegick and S. Barnum. 2013. Securing the Weakest Link Retrieved from https:\/\/us-cert.cisa.gov\/bsi\/articles\/knowledge\/principles\/securing-the-weakest-link."},{"key":"e_1_2_2_171_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2008.01.006"},{"key":"e_1_2_2_172_1","volume-title":"Top 10 Programming Languages for Web Development","author":"Software","year":"2020","unstructured":"Software development blogs. 2020. Top 10 Programming Languages for Web Development in 2020 . Retrieved on 12 August, 2020 from https:\/\/intersog.com\/blog\/top-10-programming-languages-for-web-development-in-2020\/. Software development blogs. 2020. Top 10 Programming Languages for Web Development in 2020. Retrieved on 12 August, 2020 from https:\/\/intersog.com\/blog\/top-10-programming-languages-for-web-development-in-2020\/."},{"key":"e_1_2_2_173_1","volume-title":"Top 5 programming languages for web development in 2021 Retrieved on","year":"2021","unstructured":"Javinpaul. 2021. Top 5 programming languages for web development in 2021 Retrieved on 30 June , 2021 from https:\/\/medium.com\/javarevisited\/top-5-programming-languages-for-web-development-in-2021-f6fd4f564eb6. Javinpaul. 2021. Top 5 programming languages for web development in 2021 Retrieved on 30 June, 2021 from https:\/\/medium.com\/javarevisited\/top-5-programming-languages-for-web-development-in-2021-f6fd4f564eb6."}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474553","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3474553","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:18:50Z","timestamp":1750191530000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474553"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,8]]},"references-count":173,"journal-issue":{"issue":"9","published-print":{"date-parts":[[2022,12,31]]}},"alternative-id":["10.1145\/3474553"],"URL":"https:\/\/doi.org\/10.1145\/3474553","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,10,8]]},"assertion":[{"value":"2020-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-07-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-10-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}